The Hacker News — Cyber Security, Hacking, Technology News

While the whole world was waiting for the next generation of the Windows operating system, i.e. Windows 9, Microsoft has skipped right over 9 and announced that the next version of Windows is Windows 10, disclosing its first details on Tuesday at an event in San Francisco.

The latest version of Microsoft’s flagship operating system, which will be available for everyone next year, brings back the popular Start Menu, which had been removed from Windows 8.

Windows 10 will be Microsoft’s single platform for developing apps across all devices, from Smartphones and tablets to desktop PCs. However, Windows 10 will not be a one-size-fits-all operating system and instead will vary a bit from device to device.

"Windows 10 will run on the broadest amount of devices. A tailored experience for each device," Microsoft's executive VP of operating systems, Terry Myerson, said at a press event on Tuesday. "There will be one way to write a universal application, one store, one way for apps to be discovered, purchased and updated across all of these devices."

"Some of these devices you hold in your hand, others are ten feet away," Microsoft said. "Some of these devices you primarily use touch/pen, others mouse/keyboard, others controller/gesture—and some devices can switch between input types. We’re not talking about one UI to rule them all—we’re talking about one product family, with a tailored experience for each device."

Codenamed Windows Threshold, Windows 10 will come with customizable live tiles in the new Start menu, which will look familiar to Windows 7 users. Among other features, Windows 10 will provide new options for resizing windows, multiple desktops, and a convenient "task view" to switch between them.

The resizable tiles will provide users a quick view of notifications from relevant applications, such as details of new emails, Facebook messages, weather forecast updates and more.

Other features include Task View – which supports multiple desktops, and Snap Assist – which lets you grab apps from multiple desktops. The Windows command prompt has also been improved.

The announcement of an updated Windows operating system doesn't come as a complete surprise, as leaked images of the latest Windows OS, under the codename "Threshold", had already spread online and given a closer look at Microsoft's next major version of Windows. The only surprise is that the latest version of Windows is Windows 10, instead of Windows 9.

"We believe that, together with the feedback you provide us, we can build a product that all of our customers will love," Myerson said. "It will be our most open collaborative OS project ever."

Microsoft has opened up the OS to dedicated beta testers under its Windows 10 "Insider Program" for individuals to start testing, and has already reached out to companies to evaluate the new operating system as well. Windows 10 is still in its early stages of development and is expected to ship in mid-2015.

The Federal Bureau of Investigation (FBI) has arrested the CEO of a UK-based company for allegedly advertising and selling a spyware app to individuals who suspect their romantic partners of cheating on them.

The dodgy cell phone spyware application, dubbed StealthGenie, monitors victims' phone calls, text messages, videos, emails and other communications "without detection" once it is installed on a target's phone, according to the Department of Justice.

The chief executive officer of the spyware maker is 31-year-old Pakistani Hammad Akbar, of Lahore, who was arrested over the weekend in Los Angeles for selling the StealthGenie spyware application and now faces a number of federal charges.

According to the US Department of Justice, Akbar operates a company called InvoCode, which sold the StealthGenie spyware app online that can intercept communications to and from mobile phones including Apple, Google, and BlackBerry devices.

The company's business plan for the product focused on "the spousal cheat" market, which was expected to constitute 65 percent of StealthGenie purchasers; the plan even spelled that out, stating that the target audience was cheating spouses and romantic partners.

"According to our market research, the majority chunk of the sales will come from people suspecting their partners to be cheating on them or wanting to keep an eye on them," the business plan stated according to the indictment.

Once installed on the phone, it allows conversations to be monitored as they take place, enables the purchaser to call the phone and activate it at any time to monitor all surrounding conversations within a 15-foot radius, and collects the user’s incoming and outgoing email and SMS messages, incoming voicemail, address book, calendar, photographs, and videos. All of these functions are enabled without the knowledge of the user of the phone.

StealthGenie spyware application, according to the law enforcement agency, is able to:

Record all incoming/outgoing voice calls;

Intercept calls on the phone to be monitored while they take place;

Allow the attackers to call the phone and activate the app any time in order to monitor all surrounding conversations within a 15-foot radius;

Federal prosecutors said this case is the first time that the US Department of Justice has prosecuted someone for advertising and selling a mobile device spyware app that targets adults.

"Selling spyware is not just reprehensible, it's a crime," Assistant Attorney General Leslie Caldwell of the Justice Department's Criminal Division said in a statement. "Apps like StealthGenie are expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim's personal life--all without the victim's knowledge."

Akbar was charged with conspiracy, sale of a surreptitious interception device, advertisement of a known interception device and advertising a device as a surreptitious interception device in US District Court for the Eastern District of Virginia.

At the beginning of the month, Apple was criticized for a security flaw in its iCloud file storage service that, according to multiple media outlets, allegedly allowed hackers to retrieve nude photos of a number of high-profile celebrities. And now, the company's newly launched iOS 8 has reportedly been found vulnerable to another critical bug that is troubling iOS 8 users.

After the launch of iOS 8, some minor bugs were reported in the operating system, and these were quickly fixed in Apple's iOS 8.0.1. But the critical vulnerability discovered in iOS 8.0.1 seems to be deleting data stored in iCloud Drive without the user's permission.

The bug was uncovered by MacRumors after its forum members complained about the issue, which is triggered by the "Reset All Settings" option. That option is typically supposed to reset your network settings to give your iOS device a clean slate to work with, but it turns out the feature is also deleting all your files from iCloud Drive.

Under the General category in Settings for iOS 8, the Reset All Settings option is supposed to simply reset your iOS settings while retaining your data and media, as the option explicitly says that "No data or media will be deleted."

But unfortunately, that's not the case for users who have the new iOS installed on their Apple devices, as certain iCloud documents are also wiped out after users press the Reset All Settings button.

User comments on the issue also suggest that the bug seems to be specific to documents from iWork apps, such as Pages, Keynote and Numbers, according to MacRumors. There have been multiple confirmed reports from users who lost all of their iWork documents after using the option, and the user who first noticed the issue has reported that only Apple’s productivity apps were impacted, but other data files remained in iCloud.

These documents don't just vanish from the iOS 8 device, either. They disappear from the web-based iCloud Drive manager as well as from systems running OS X Yosemite. You can only retrieve your documents if you have a backup of your files. If you don't have a backup, your documents are gone forever.

MacRumors conducted its own test on the bug and reported, "In our own testing, using "Reset All Settings" deleted all iWork documents stored in iCloud Drive on the iPhone and on iCloud.com. After allowing time for syncing to a Mac running OS X Yosemite, all of the documents disappeared from that machine as well. Preview and TextEdit documents, which cannot be accessed on the iPhone, remained untouched on the Mac."

Until the issue is addressed by Apple, users who have iCloud Drive enabled are advised to avoid using the "Reset All Settings" option on their devices, in order to protect their important documents stored in iCloud Drive from getting erased.

Apple’s iCloud was also in recent controversies when the highly-publicized celebrity photos were leaked online due to Apple’s insufficient security measures on certain functions.

Tails, a Linux-based highly secure Operating System specially designed and optimized to preserve users' anonymity and privacy, has launched its new release, Tails version 1.1.2.

Tails, also known as 'The Amnesic Incognito Live System', is a free security-focused Debian-based Linux distribution, which has a suite of applications and can be installed on a USB stick, an SD card or a DVD. It keeps users' communications private by running all connectivity through Tor, the network that routes traffic through various layers of servers and encrypts data.

The operating system came into the limelight when the global surveillance whistleblower Edward Snowden said that he had used it in order to remain anonymous and keep his communications hidden from law enforcement authorities.

The new version 1.1.2 addresses a single but critical vulnerability: the Network Security Services (NSS) library parser used by Firefox and other browsers can be tricked into accepting forged RSA certificate signatures.

"We prepared this release mainly to fix a serious flaw in the Network Security Services (NSS) library used by Firefox and other products that allows attackers to create forged RSA certificates," reads the Tails official website.

"Before this release, users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it's coming from a trusted site."

Cyber criminals may use Man-in-the-middle (MitM) attacks, impersonating a bank or webmail provider and tricking online users into handing over their login credentials, which can then be passed on to the legitimate organisation.

Tails 1.1.2 comes with the following security updates:

Updated Tor Browser version (based on Firefox 24.8.0 ESR+tails3~bpo70+1)

New Linux kernel, 3.16-1

Numerous other software upgrades that fix security issues in GnuPG, APT, DBus, Bash, and packages built from the bind9 and libav source packages

Mozilla also released quick security patches for Firefox and Thunderbird, as its open source browser is vulnerable to SSL man-in-the-middle attacks due to RSA certificate forgery. The patches are already available.

Firefox ESR 31.1.1, Firefox ESR 24.8.1, Thunderbird 31.1.1, and Thunderbird 24.8.1 have been updated to NSS 3.16.2.1. Also Firefox 32.0.3 and SeaMonkey 2.29.1 have been updated to NSS 3.16.5.

It seems like there is no end to "nude celebrity photo leaks". As part of the Fappening 3 hack, new naked photos of Jennifer Lawrence have apparently been leaked online in the "third round" of nude celebrity photo leaks, which also include top model Cara Delevingne and actress Anna Kendrick.

On Friday, new celebrity nude photos were leaked online, labelled 'The Fappening 3' by subreddits and 4chan communities. The release appears to be part of the massive leak that began in August and has continued with 55 more nude photos of Jennifer Lawrence, the three-time Oscar nominee who won for her role in Silver Linings Playbook, hitting the Internet once again.

Other women targeted by the latest leaked nude photo scandal include American Olympic gold medallist Misty May Treanor and actors Alexandra Chando, Kelli Garner and Lauren O'Neil. Several of the pictures show the celebrities partying in some pretty revealing outfits.

Earlier this week, the second edition of the massive leak, with intimate images of celebrities including Kim Kardashian, Vanessa Hudgens and others, was posted online by unknown hackers. The naked pictures were allegedly retrieved through a "brute force" security flaw in Apple's iCloud file storage service.

After the iCloud leaked photos began appearing on the Internet for the first time, Jennifer Lawrence also contacted the FBI, which is investigating the apparent widespread invasion of personal accounts thought to be connected to the iCloud service.

"This is a flagrant violation of privacy," Lawrence's publicist Liz Mahoney wrote in a statement. "The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence."

The Fappening incident is currently under FBI investigation. However, Apple has already investigated the matter and earlier this month confirmed there had been a "very targeted attack" on certain celebrities, rather than a widespread security breach affecting all users.

“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”

There is also the possibility that the nude celebrity photos came from a different source. But whatever the source, this never-ending privacy breach of high-profile celebrities once again calls into question the security and privacy of users' online data.

While much of the Internet considers the Bash vulnerability to be severe, Apple says the vast majority of Mac computer users are not at risk from the recently discovered vulnerability in the Bash command-line interpreter, aka the "Shellshock" bug, which could allow hackers to take over an operating system completely.

Apple has issued a public statement in response to the issue, assuring its OS X users that most of them are safe from any potential attacks through the Shellshock vulnerability, which security experts have warned affects many operating systems, including Apple's OS X.

"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," Apple said. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users."

According to Apple, the majority of OS X users are considered safe so long as they haven't configured any advanced access. The company will soon issue an OS X update to fix the hole; until then, OS X users are advised to make sure they don't enable any advanced UNIX options before the patch is released.

The critical vulnerability in the widely used Linux and Unix command-line shell, known as Bash or the GNU Bourne Again Shell, affects versions 1.14 through 4.3 of GNU Bash and is based on how Bash handles environment variables. By creating a function as part of the variable, it's possible to execute commands when the variable is evaluated.

The exploit reportedly affects most Linux- and Unix-based operating systems around the world, including OS X.

Researchers on Thursday also discovered that the ShellShock vulnerability has been exploited by the cyber criminals in the wild to take over Web servers as part of a botnet attack that is currently trying to infect other servers as well.

The Bash glitch has been described as worse than the Heartbleed security flaw, discovered in April, which left all the information stored on data servers potentially vulnerable to hackers. Over 300,000 servers were still vulnerable to that critical OpenSSL bug two months after it was first identified.

Users are advised not to panic, and to avoid using the advanced services that can be exploited via the Shellshock vulnerability until the official patch for the issue is released.

Until then, you may apply an unofficial patch that is claimed to completely address both vulnerabilities. In an email to the Open Source Software Security (oss-sec) mailing list, the maintainer of Bash, Chet Ramey, addressed the vulnerability and issued the patch, but there is as of yet no official fix for the issue.

Researchers on Thursday discovered a critical remotely exploitable vulnerability in the widely used command-line shell GNU Bourne Again Shell (Bash), dubbed "Shellshock", which affects most Linux distributions and servers worldwide and may already have been exploited in the wild to take over Web servers as part of a botnet that is currently trying to infect other servers as well.

BOTNET ATTACK IN THE WILD

The bot was discovered by a security researcher with the Twitter handle @yinettesys, who reported it on GitHub and said it appeared to be remotely controlled by miscreants, which indicates that the vulnerability is already being used maliciously.

The vulnerability (CVE-2014-6271), which came to light on Wednesday, affects versions 1.14 through 4.3 of GNU Bash and could become a dangerous threat to Linux/Unix and Apple users if the patches to BASH are not applied to the operating systems.

Patches for the vulnerability were released, but there was some concern that the initial fix still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry. There is as of yet no official patch that completely addresses both vulnerabilities, including the second, which allows an attacker to overwrite files on the targeted system.

SHELLSHOCK vs THE INTERNET

Robert Graham of Errata Security observed that Internet-wide scanning is already being used by cyber criminals to locate vulnerable servers. During his own scan, Graham found about 3,000 servers that were vulnerable "just on port 80", the port used for normal Web Hypertext Transfer Protocol (HTTP) requests.

The Internet scan broke after a short while, which means there could be many more servers vulnerable to the attack.

"It's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi)," Graham wrote in a blog post. "Getting just the root page is the thing least likely to be vulnerable. Spidering the site and testing well-known CGI scripts (like the CPanel one) would give a lot more results—at least 10x."

In addition, Graham said, "this thing is clearly wormable and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would be 'game over' for large networks."

32 ORACLE PRODUCTS VULNERABLE
Oracle has also confirmed that over 32 of its products are affected by the "Shellshock" vulnerability, including some of the company's expensive integrated hardware systems. In a security alert regarding the Bash bug issued on Friday, the company warned its users to wait a bit longer for the complete patch.

"Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability," the company said.

PATCH ISSUED, BUT INCOMPLETE
Patches were released by most of the Linux distributions, but Red Hat has updated its advisory to warn that the patch is incomplete, an issue that was also raised by the infosec community on Twitter.

"Red Hat has become aware that the patches shipped for this issue are incomplete," said Red Hat security engineer Huzaifa Sidhpurwala. "An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169."

Although people are urged to apply the released patch to thwart most attacks on the affected systems, another patch is expected to be released as soon as possible.

Users might have praised the technology companies for their efforts to encrypt their latest devices and keep law enforcement agencies' hands off users' private data, but the FBI is not at all happy with Apple and Google right now.

The Federal Bureau of Investigation director, James Comey, said Thursday he was "very concerned" about Apple and Google using stronger or full encryption in their smartphones and tablets, which makes it impossible for law enforcement to collar criminals.

According to Comey, the Silicon Valley tech giants are "marketing something expressly to allow people to place themselves above the law."

"There will come a day – well it comes every day in this business – when it will matter a great, great deal to the lives of people of all kinds that we be able to with judicial authorization gain access to a kidnapper's or a terrorist or a criminal's device," Comey told reporters.

"I just want to make sure we have a good conversation in this country before that day comes. I'd hate to have people look at me and say, 'Well how come you can't save this kid,' 'How come you can't do this thing.'"

The move is a response to the revelations of mass surveillance conducted by the US National Security Agency (NSA), revealed by former contractor Edward Snowden, which triggered a large-scale movement worldwide towards deploying encryption across all digital services.

The FBI remarks follow privacy changes introduced by both Apple and Google. Just last week, Google announced it would be providing data encryption by default with the next version of Android, i.e. Android L.

Apple, with the release of iOS 8 earlier this month, allowed iPhone and iPad users to encrypt most personal data with a passcode. Also last week, the company introduced enhanced encryption for iOS 8 devices, under which it will no longer store the encryption keys for devices running iOS 8, making it impossible for the company to decrypt a locked device, even on law enforcement request.

"Unlike our competitors, Apple cannot bypass your pass code and therefore cannot access this data," Apple said in its new privacy policy, updated on Wednesday. "So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."

Google's announcement of default encryption came a day after Apple revealed that it is expanding its two-factor authentication process to include the iCloud storage system, which was recently targeted by hackers to extract over 100 nude celebrity photos.

Comey said he understood the privacy concerns raised in the wake of NSA leaker Edward Snowden's revelations about massive US government surveillance. But he also noted that the FBI sometimes has an urgent need to access users' data, such as in cases of terrorism or kidnapping.

"I am a huge believer in the rule of law, but I am also a believer that no one in this country is above the law," Comey moaned. "What concerns me about this is companies marketing something expressly to allow people to place themselves above the law."

Despite criticism from the FBI, it's improbable that Apple or Google will step back from their efforts, because the technology companies will not risk their reputation in a market where many have been criticised in the past for putting backdoors in their products for law enforcement agencies.

A critical remotely exploitable vulnerability has been discovered in the widely used Linux and Unix command-line shell known as Bash, aka the GNU Bourne Again Shell, leaving countless websites, servers, PCs, OS X Macs, various home routers, and many more open to cyber criminals.

Earlier today, Stephane Chazelas publicly disclosed the technical details of the remote code execution vulnerability in Bash, which affects most Linux distributions and servers worldwide.

REMOTELY EXPLOITABLE SHELLSHOCK

The vulnerability (CVE-2014-6271) affects versions 1.14 through 4.3 of GNU Bash and has been named Bash Bug, or Shellshock, by security researchers in online discussions.

According to the technical details, a hacker could exploit this Bash bug to execute shell commands remotely on a target machine using specially crafted environment variables. "In many common configurations, this vulnerability is exploitable over the network," Stephane said.

This 22-year-old vulnerability stems from the way Bash handles specially formatted environment variables, namely exported shell functions. When a variable's value is a function definition, any trailing code after the closing brace of that definition is executed as Bash imports the variable.

BASH BUG AFFECTS MILLIONS OF SYSTEMS

While Bash is not directly used by remote users, it is a common shell for evaluating and executing commands from other programs, such as a web server or a mail server. So if an application calls a Bash shell command via HTTP or a Common Gateway Interface (CGI) script in a way that allows a user to insert data, the web server could be hacked.

In simple words, if Bash has been configured as the default system shell, an attacker could launch malicious code on the server just by sending a specially crafted web request, for example by setting headers in the request or by setting weird MIME types. Proof-of-concept code for a cgi-bin reverse shell has been posted on the Internet.

Similar attacks are possible via OpenSSH. "We have also verified that this vulnerability is exposed in ssh—but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell," Stephane warned. But if an attacker does not have an SSH account, this exploit would not work.

This is a serious risk to Internet infrastructure, just like the Heartbleed bug, because Linux runs not only the majority of servers but also a large number of embedded devices, and Mac OS X laptops and Android devices are also running the vulnerable version of the Bash software. The NIST vulnerability database has rated this vulnerability "10 out of 10" in terms of severity.

HOW TO CHECK FOR VULNERABLE SHELL

To determine if a Linux or Unix system is vulnerable, run the following command lines in your Linux shell:

env X="() { :;} ; echo shellshock" /bin/sh -c "echo completed"

env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"

If you see the words "shellshock" in the output, errrrr… then you are at risk.
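Two defensive checks that follow from the sections above (the environment-variable self-test just given, and the CGI/HTTP-header exposure and Internet-wide scanning described earlier), written as an added example that is not from the original article: a function that runs the harmless self-test against a given shell binary, and a scan of access-log lines for the "() {" function-definition marker that Shellshock probes carry in request headers. The log lines, client addresses and paths are constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: two defensive checks for the
# Bash bug (CVE-2014-6271) described above. All sample data below is constructed.

# 1. Run the article's harmless self-test against the shell binary given as $1.
#    A vulnerable Bash executes the trailing "echo shellshock" while importing the
#    function-style variable X; a patched Bash ignores it and prints only "completed".
#    Returns 0 (true) if the shell is vulnerable, 1 otherwise.
shell_is_shellshock_vulnerable() {
    shell="$1"
    out=$(env X='() { :;}; echo shellshock' "$shell" -c 'echo completed' 2>/dev/null)
    case "$out" in
        *shellshock*) return 0 ;;
        *)            return 1 ;;
    esac
}

# 2. Detection over web-server access logs. Probes for the bug, like the scans
#    described above, carry a function definition ("() {") in a request header
#    such as User-Agent or Referer, which the server copies into its log.
#    Constructed Apache-style combined-log lines (TEST-NET addresses):
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:13 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 209 "() { :;}; echo probe" "curl/7.30"
198.51.100.7 - - [25/Sep/2014:10:02:41 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.30"
EOF
)

# Print the number of log lines that carry the Shellshock marker.
count_shellshock_probes() {
    printf '%s\n' "$1" | grep -c -F '() {' || true
}

# Print the unique client addresses that sent such probes (one per line),
# ready to feed into an alert or a block list.
shellshock_probe_sources() {
    printf '%s\n' "$1" | grep -F '() {' | awk '{ print $1 }' | sort -u
}

# Stand-alone report for the reader.
if shell_is_shellshock_vulnerable /bin/sh; then
    echo "/bin/sh: VULNERABLE to CVE-2014-6271"
else
    echo "/bin/sh: not vulnerable (or not Bash)"
fi
echo "Shellshock probes in sample log: $(count_shellshock_probes "$SAMPLE_LOG")"
echo "Probe sources:"
shellshock_probe_sources "$SAMPLE_LOG"
```

Point the first function at any other shell on the box (for example the result of `which bash`, as the article does) to check each interpreter separately, since /bin/sh is often not Bash.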

BASH BUG PATCH

It is recommended to disable any CGI scripts that call the shell, but this does not fully mitigate the vulnerability. Many of the major operating system and Linux distribution vendors have released new Bash software versions today, including:

The official website of the popular cross-platform JavaScript library jQuery (jquery.com) has been compromised and is redirecting its visitors to a third-party website hosting the RIG exploit kit, in order to distribute information-stealing malware.

jQuery is a free and open source JavaScript library designed to simplify the client-side scripting of HTML. It is used to build AJAX applications and other dynamic content easily. The popular JavaScript library is used by 30 percent of websites, including 70 percent of the top 10,000 most visited websites.

James Pleger, Director of Research at risk management software company RiskIQ, reported yesterday that the attack on jQuery.com's web servers ran for a short period of time on the afternoon of September 18th.

So, users who visited the website on September 18th may have had their systems infected with data-stealing malware via the redirect to the website hosting RIG. Pleger urged those who visited the site during the alleged attack to re-image their systems, reset passwords for user accounts that have been used on those systems, and look for any suspicious activity originating from the affected system.

"However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users [who are] generally IT systems administrators and web developers, including a large contingent who work within enterprises," Pleger wrote.

The RIG exploit kit is often used to deliver banking Trojans and other information-stealing malware. The researcher said he detected malware on compromised machines that steals credentials and other data.

"Planting malware capable of stealing credentials on devices owned by privilege accounts holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach."

RiskIQ researchers immediately notified the jQuery Foundation about the issue. In response, the jQuery Foundation said that its internal investigation of the servers and logs didn't find the RIG exploit kit or evidence that there had been a compromise.

The RIG exploit kit was first spotted in April this year. It checks visitors' systems for an unpatched version of Flash, Internet Explorer, Java or the Silverlight multimedia plugin and, if one is found, the system is instantly exploited by the bad actors. It was also used to distribute the Cryptowall ransomware back in June.

UPDATE

In an official blog post, Ralph Whitbeck of jQuery.com commented on RiskIQ's findings:

"Our internal investigation into our servers and logs have not yet found the RIG exploit kit or evidence that there was in fact a compromise."

But he did concede that "Currently the only potential system compromised is the web software or server that runs jquery.com," while stressing that "At no time have the hosted jQuery libraries been compromised."

"Even though we don't have immediate evidence of compromise, we have taken the proper precautions to ensure our servers are secure and clean," he added.

The developers of Kali Linux, one of the most advanced open source operating systems for penetration testing, yesterday announced the release of a new Kali project, known as NetHunter, that runs on Google Nexus devices.

Kali Linux is an open source Debian-based operating system for penetration testing and forensics, which is maintained and funded by Offensive Security, a provider of information security training and penetration testing services. It comes with a collection of penetration testing and network monitoring tools used for testing software privacy and security.

After establishing itself in hacker and security circles, Kali Linux has now been joined by Kali NetHunter, a version of the security suite for Android devices. The tool is a mobile distribution designed to compromise systems via USB when installed and run on an Android phone.

“Our NetHunter images support programmable HID keyboard attacks, (a-la-teensy), as well as “BadUSB” network attacks, allowing an attacker to easily MITM an unsuspecting target by simply connecting their device to a computer USB port,” the Offensive Security team said. “In addition to these built in features, we’ve got a whole set of native Kali Linux tools available for use, many of which are configurable through a simple web interface.”

NetHunter is currently available for Nexus devices only, but builds for other Android devices are likely on the way. NetHunter contains the full Kali Linux toolset, including support for self-destruction, software defined radio and the ability to launch a Kali desktop VNC session on the Nexus phone.

The tools are designed for use by an attacker who has physical access to a device, such as an insider, or someone who gains access through social engineering, tailgating and the like.

Teensy-style keyboard attacks can be used to automatically elevate privileges on a Windows PC and install a reverse-HTTP tunnel to a remote workstation, while BadUSB can force a Windows PC to recognize the USB-connected phone as a network adapter and route all of the PC's traffic through it for monitoring.

Additionally, the Kali NetHunter configuration interface lets users easily manage complex configuration files through a local web interface, which together with 802.11 wireless injection and a pre-configured connect-back VPN service make it a “formidable network security tool or discreet drop box – with Kali Linux at the tip of your fingers wherever you are.”

The Kali NetHunter open source security platform, built on the existing Kali (formerly BackTrack) Linux platform, supports Nexus 10 and Nexus 7 tablets and Nexus 5 phones. The official Kali NetHunter images can be downloaded from the Offensive Security NetHunter download page.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Good news: this month we bring an amazing deal for our readers, where you can get hacking courses for as little as you want to pay, and if you beat the average price you will receive the fully upgraded hacking bundle!

Viator, TripAdvisor's online travel booking and review website, has reportedly been hit by a massive data breach that may have exposed the payment card details and account credentials of an estimated 1.4 million of its customers.

The San Francisco-based Viator, acquired by TripAdvisor, the world's largest travel site, for £122 million (US$ 200 million) back in July, admitted late on Friday that intruders had hacked into some of its customers' payment card accounts and made unauthorized charges.

The breach affects bookings made through Viator's websites and mobile offerings and could potentially have exposed payment card data.

Viator said it has hired forensic experts to determine the extent of the breach and, according to a press release from the travel outfit, has begun notifying affected customers.

“On September 2, we were informed by our payment card service provider that unauthorized charges occurred on a number of our customers' credit cards,” Viator wrote. “We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.”

“While our investigation is ongoing, we are in the process of notifying approximately 1.4 million Viator customers, who had some form of information potentially affected by the compromise.”

During the investigation, the company found that the cyber criminals had broken into its internal databases and accessed the payment card data of approximately 880,000 customers, including encrypted credit or debit card numbers, card expiration dates, names, billing addresses and email addresses, and possibly their Viator account information, which includes email address, encrypted password and Viator 'nickname.'

Additionally, the intruders may also have accessed the Viator account information, including email addresses and encrypted passwords, of over 560,000 Viator customers.

According to the company, debit card PINs were not included in the breach because Viator does not store them. The company also said it believes that CVV numbers, the security codes printed on the back of customers' cards, were not stolen either.

For customers affected by the breach in the United States, Viator is offering free identity protection and credit card monitoring services, and the company is also investigating the possibility of offering similar services to customers outside the country.

Meanwhile, the company has warned its affected customers to regularly monitor their card activity and report any fraudulent charges to their card company. “Customers will not be responsible for fraudulent charges to their accounts if they are reported in a timely manner,” Viator said.

Viator also recommends that users change their password for the site, as well as on any other websites where they use the same credentials.

The Pirate Bay is the world's largest torrent tracker site; it handles requests from millions of users every day and is among the 100 most visited websites on the Internet. The Pirate Bay is generally known for hosting potentially illegal content.

Despite years of persecution, it continues to flout copyright laws worldwide. Both founders of The Pirate Bay (TPB) file-sharing service have been arrested by the authorities and are in prison, yet their notorious site continues to receive millions of unique visitors daily. Strange, but how?

Recently, The Pirate Bay team revealed how cloud technology keeps its virtual servers out of reach of police raids and detection.

The Pirate Bay does not own any physical servers; instead it runs on “virtual machines” at a few commercial cloud hosting services, which do not even know whom they are dealing with.

According to a TorrentFreak report, The Pirate Bay currently has 21 virtual machines (VMs) hosted around the globe at different cloud providers.

Cloud technology eliminates the need for any critical hardware of its own, which saves cost, improves uptime and makes the site more portable, and therefore harder to take down.

The Pirate Bay runs on 182 GB of RAM and 94 GPU cores, with a total storage capacity of 620 GB, none of which is used in full.

Of the 21 VMs, eight serve web pages, six are dedicated to handling searches, two run the site’s database, and the remaining five are used for load balancing, statistics, the proxy site on port 80, torrent storage and the controller.

Interestingly, the commercial cloud hosting providers have no idea that The Pirate Bay is using their services, because all traffic goes through the load balancer, which hides the activity of the other virtual machines from the cloud providers. This means that none of the cloud providers' IP addresses are publicly linked to The Pirate Bay, which should keep them safe.

And if police shut down some of these cloud servers, the VMs can be moved to another location in a relatively short time. Back in 2006, Swedish police raided The Pirate Bay's hosting company, seizing everything from blank CDs to fax machines and servers and taking the site down, but it took just three days to return to normal.

Is Facebook going to charge users a monthly fee? Nobody expected such a news story this week, but according to a National Report article titled "Facebook To Begin Charging Users $2.99/mo Starting November 1st", Facebook will no longer be a free service. The story turns out to be fake.

The report is circulating via social media and claims that the social networking giant will begin charging $2.99 (€2.33) per month for each user starting November 1, 2014, in an effort to fight the rising costs the company is facing.

Of course, the claims are simply untrue. Facebook, which has more than 1.3 billion monthly users, has not announced any plans to begin charging a monthly fee for access to its regular services.

NICELY FRAMED HOAX

The report comes from a 'satirical' fake-news website and is a complete hoax, just like many 'Facebook to start charging' hoaxes before it. What makes it different from those other hoaxes? It is framed so convincingly that it caught everybody's attention on the Internet.

“At a press conference this morning, Facebook rolled out their monthly service plan which begins November 1st of this year. The social media giant says they will start charging members $2.99/mo to use the services that the site has to offer,” reads the fake news report.

Moreover, the fake-news article also quoted fabricated statements attributed to Facebook CEO Mark Zuckerberg, which made it even more convincing.

“After thinking long and hard about this decision, at the end of the day, we were forced to add this monthly fee,” said Facebook founder and CEO Mark Zuckerberg. “If we don't do something about our rising costs now, Facebook could cease to exist in the near future.”

FACEBOOK IS FREE AND ALWAYS WILL BE

National Report considers itself satirical: its disclaimer states that it is a news and political satire web publication, which may or may not use real names, sometimes in semi-real or wholly fictitious ways. Many readers are nonetheless confused, because so many fake stories from the site are believed to be true.

The site also states that every article on it is fiction and fake news bearing no relation to the truth. But the fact that it presents its stories in the same manner as legitimate news websites makes them much harder to tell apart.

Anyone who believed this story should know that the claim that Facebook is about to start charging is complete nonsense. Facebook is not charging its users for its services, and its own homepage says, 'It's free and always will be'.

Always take a moment to verify this kind of sensational claim about Facebook or any other online service, and don't share misinformation with your Facebook friends before confirming it.

A new wave of malware has been discovered that has infected hundreds of thousands of computers worldwide and allegedly steals users’ social media and banking credentials.

A few days ago, a list of 5 million Gmail address and password combinations was leaked online. Google said that the Gmail credentials did not come from a breach of its systems; rather, they had been stolen through phishing campaigns and unauthorized access to user accounts.

Now we have come across another, similar incident in which cyber criminals are using malware that has already compromised thousands of Windows users worldwide in an effort to steal their social media, online account and banking credentials.

A Greek security researcher recently discovered a malware sample from a spam campaign (caught in a corporate honeypot) that was rapidly targeting a large number of computer users. He investigated it and posted a detailed technical analysis of the malware on his blog.

After reverse engineering the malware sample, he found that the cybercriminals are using a combination of AutoIt (a scripting language for automating day-to-day tasks on Windows computers) and a "commercial" keylogger named "Limitless Keylogger" to make it FUD, i.e. fully undetectable by static analysis.

A keylogger is a key tool for cyber criminals: it records everything typed on the keyboard and so easily captures the passwords for users’ email, social media and online banking accounts.

This malicious application captures every keystroke the user presses and sends them to an email address controlled by the cyber criminal. More interestingly, the malware uses AutoIt to evade detection by antivirus programs.

The malware distributed in the spam campaign comes as a WinRAR SFX (self-extracting) executable with a custom icon, which drops four malicious files with hidden and system attributes onto the victim’s computer.

The malware archive includes:

AutoIt script ‘update.exe’ (331 MB)

Python script to “deobfuscate” the AutoIt script

oziryzkvvcpm.AWX: settings for the AutoIt script

sgym.VQA: another encrypted malware payload binary

The obfuscated AutoIt script is initially 331 MB because it is padded with large amounts of garbage content, but after deobfuscation it shrinks to only 55 KB of clean malicious code.

The researcher found many functions in the malware code that allow the malicious software to protect itself from detection.

On further reverse engineering, he found that the malware sends the collected keystroke data to the cybercriminal via an SMTP mail server. He sniffed the malware's SMTP traffic and discovered that the keylogger was sending all of the user's keystrokes, screenshots and recovery data (saved passwords from several applications and browsers) to the email address “ontherun4sales@yandex.ru”.

He also extracted the hardcoded SMTP username and password for that Yandex mailbox from the malware source code.
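The exfiltration pattern described above, a keylogger on a desktop mailing captured data straight to an external mailbox over SMTP, is one a network defender can look for in flow logs. The detector below is an added example, not the researcher's code; the flow record format, the workstation subnet, the approved relay address and the sample records are all constructed assumptions.

```python
"""Flag workstations that open SMTP sessions to anything other than the
organisation's own mail relay: desktop clients should only talk to that
relay, so a host mailing an outside server on a schedule is suspicious.
Added example; field names and addresses are constructed assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMTP_PORTS = {25, 465, 587}
WORKSTATION_NETS = [ip_network("10.20.0.0/16")]   # assumption: desktop VLAN
APPROVED_RELAYS = {"10.1.1.25"}                   # assumption: corporate MTA

# Constructed sample flow log: ts,src_ip,dst_ip,dst_port,bytes_out
# 10.20.4.17 reports to an outside SMTP server every five minutes, the way
# a keylogger with hard-coded mail credentials would.
SAMPLE_FLOWS = """\
2014-09-10T09:00:01,10.20.4.17,10.1.1.25,587,2048
2014-09-10T09:05:12,10.20.4.17,203.0.113.44,587,15360
2014-09-10T09:10:13,10.20.4.17,203.0.113.44,587,14210
2014-09-10T09:15:14,10.20.4.17,203.0.113.44,587,16004
2014-09-10T09:20:15,10.20.4.17,203.0.113.44,587,15877
2014-09-10T09:07:40,10.20.9.3,198.51.100.10,443,700
2014-09-10T09:08:00,10.1.1.25,198.51.100.9,25,4096
2014-09-10T09:30:00,10.20.6.8,203.0.113.7,465,900
"""


def parse_flows(text):
    """Parse the CSV-style records above into dicts (constructed format)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_workstation(ip):
    addr = ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def find_direct_smtp(flows, min_sessions=3):
    """Group SMTP flows from workstations to non-relay destinations by
    (src, dst) and report pairs with at least min_sessions sessions: a
    keylogger reports on a schedule, while a single session may be benign."""
    groups = defaultdict(list)
    for f in flows:
        if f["port"] not in SMTP_PORTS:
            continue
        if not is_workstation(f["src"]) or f["dst"] in APPROVED_RELAYS:
            continue
        groups[(f["src"], f["dst"])].append(f)
    alerts = []
    for (src, dst), fs in sorted(groups.items()):
        if len(fs) < min_sessions:
            continue
        alerts.append({
            "src": src, "dst": dst, "sessions": len(fs),
            "bytes_out": sum(f["bytes"] for f in fs),
            "first": min(f["ts"] for f in fs),
            "last": max(f["ts"] for f in fs),
        })
    return alerts


if __name__ == "__main__":
    for a in find_direct_smtp(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['src']} -> {a['dst']} SMTP x{a['sessions']} "
              f"{a['bytes_out']} bytes ({a['first']} .. {a['last']})")
```

Lowering min_sessions to 1 also surfaces one-off external SMTP connections, which is the stricter policy to apply where a mail relay is mandatory.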

The researcher told SecNews, “The detection was accomplished in the past few days, and we found that the malware is targeting Greek users (a minimal number of cases).”

“Possibly some Indonesian hackers might have used the malicious software available on Russian hacking forum sites,” they said, "and the targets are well-known companies from the retail, oil and airline industries, etc."

Finally, the researcher also used Google hacks (search queries) to find some online FTP servers to which data had been uploaded by different variants of the Limitless Logger operated by various hacking groups.

Google's next version of the Android operating system, dubbed Android L, will ship with full-disk encryption enabled by default, the company confirmed Thursday.

This will be the first time that Android encrypts user data by default, preventing both hackers and law enforcement agencies from gaining access to personal and highly sensitive data on devices running the operating system.

Android has offered data encryption options on some devices since 2011, but they are not enabled by default, so users have had to activate the functionality manually. Android L will have new activation procedures that encrypt data automatically.

Google has yet to provide more details about Android L, which is set to be released next month, but the move will surely add an extra layer of security to the personal data that users typically keep on their Android smartphones.

“For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement,” a spokeswoman for the company, Niki Christoff, told The Washington Post. “As part of our next Android release, encryption will be enabled by default out of the box, so you won't even have to think about turning it on.”

Google’s announcement of default encryption comes a day after Apple revealed that it is expanding its two-factor authentication to cover the iCloud storage system, which was recently targeted by hackers to extract over 100 nude celebrity photos.

Meanwhile, Apple also announced that the latest version of its mobile operating system, iOS 8, is protected by new automatic encryption that prevents even Apple from accessing users’ personal and sensitive information.

"Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data," Apple said in its new privacy policy, updated on Wednesday. "So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."

Android is the most popular smartphone operating system in the world, so making the platform more secure protects the personal data of billions of Android users from hackers as well as law enforcement agencies.

Technology titans are treating encryption as a top priority in the wake of revelations by former National Security Agency contractor Edward Snowden that the NSA conducted mass collection of users’ phone and email communications. Until Android L is released, if you want to set up encryption on your Android phone today, Google has instructions here.

Four months ago, a massive data breach at eBay affected 145 million registered users worldwide after its database was compromised. Around the same time, another critical vulnerability on the eBay website was reported that would have allowed an attacker to hijack millions of user accounts in bulk.

Egyptian security researcher Yasser H. Ali informed The Hacker News about this vulnerability four months ago; it could have been used by cyber criminals in targeted attacks. At that time, Mr. Yasser privately demonstrated the vulnerability step by step to The Hacker News team, and we confirmed that it works.

Since the eBay security team had not yet addressed it, we kept the technical details of this vulnerability from our readers. But we promised to share the details of this interesting flaw once eBay had patched it, so here we go.

The vulnerability Yasser found could allow an attacker to reset the password of any eBay user account, without any user interaction or other dependency. The only thing required is the login email address or username of the victim.

BUT HOW TO HACK ANY eBAY ACCOUNT?

To recover a forgotten password, the user is first redirected to a password reset page, where eBay generates a random code as the HTML form parameter “reqinput”. This value is visible to anyone using the browser’s inspect element tool, including an attacker.

After the user provides their email address and presses the submit button, eBay generates a second random code, known only to the user, and sends it along with a password reset link to the user's registered email address.

Once the user clicks the password reset link in the email, they are redirected to an eBay page where they only need to enter a new password twice and submit it to reset their account password.

HERE THE VULNERABILITY RESIDES

Yasser noticed that instead of using the secret code from the email, the new-password HTTP request sends the same “reqinput” value that was generated in the first request, when the user clicked reset password, and which is therefore known to the attacker, as shown:

As a proof of concept, the researcher targeted one of our team members’ temporary accounts, registered with the email address info@thehackernews.com. First he made a password reset request at eBay for the targeted email address and saved the generated ‘reqinput’ value from the inspect element tool.

Then he crafted an HTTP request directly to the password reset form's action URL on the eBay server, with the known “reqinput” value plus the new password, confirm password and password strength parameters.

Bang! He was able to reset our eBay account password within moments, without any interaction from our team member.
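The design mistake above is that the value authorising the final password change is one the page itself handed out, rather than the secret mailed to the account owner. The in-memory model below is an added example, not eBay's code: it shows the weak check beside the hardened one (the final request is authorised only by the emailed token, which is stored hashed, expires, and is single-use). All class and function names are hypothetical.

```python
"""Toy password-reset service modelling the flaw described above.
Added example, not eBay's code; names are hypothetical."""
import hashlib
import hmac
import secrets
import time


class ResetService:
    def __init__(self, users, legacy=False, ttl_seconds=900):
        self.users = users        # email -> password (constructed sample data)
        self.legacy = legacy      # True reproduces the weak check from the page
        self.ttl = ttl_seconds
        self.pending = {}         # reqinput -> reset session record
        self.outbox = []          # stands in for the e-mail provider

    def open_reset_page(self):
        """Step 1: the reset page embeds a random 'reqinput' form value.
        Anything embedded in a page is visible to whoever loaded it."""
        reqinput = secrets.token_hex(16)
        self.pending[reqinput] = {"email": None, "token_hash": None, "expires": 0}
        return reqinput

    def submit_email(self, reqinput, email):
        """Step 2: generate the secret token, mail it, persist only its hash."""
        session = self.pending.get(reqinput)
        if session is None or email not in self.users:
            return False  # same answer either way: do not reveal which accounts exist
        token = secrets.token_urlsafe(32)
        session.update(
            email=email,
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            expires=time.time() + self.ttl,
        )
        self.outbox.append((email, token))  # the reset link would carry this token
        return True

    def set_new_password(self, reqinput, new_password, token=None):
        """Step 3: the final request. Legacy mode trusts 'reqinput' alone,
        which is the flaw; hardened mode demands the e-mailed token."""
        session = self.pending.get(reqinput)
        if session is None or session["email"] is None:
            return False
        if not self.legacy:
            if token is None or time.time() > session["expires"]:
                return False
            presented = hashlib.sha256(token.encode()).hexdigest()
            if not hmac.compare_digest(presented, session["token_hash"]):
                return False
        self.users[session["email"]] = new_password
        del self.pending[reqinput]  # single use in both modes
        return True


def reset_without_email_token(service, email):
    """The flow from the page: start a reset for an address and reuse the
    page-visible reqinput, never having seen the e-mailed token."""
    reqinput = service.open_reset_page()
    service.submit_email(reqinput, email)
    return service.set_new_password(reqinput, "chosen-without-mailbox")


def reset_with_email_token(service, email):
    """The legitimate flow: the account owner reads the token from the mail."""
    reqinput = service.open_reset_page()
    service.submit_email(reqinput, email)
    _, token = service.outbox[-1]
    return service.set_new_password(reqinput, "chosen-by-owner", token=token)
```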

LARGE SCALE AUTOMATED ATTACK

A sophisticated attacker could have launched an automated mass password reset attack against all the email accounts leaked in the previously reported massive eBay data breach.

eBay has now patched the vulnerability after Yasser responsibly disclosed it to the company's security team. But the four-month delay in delivering the patch could have exposed millions of eBay users’ accounts to a targeted attack, even if they had changed their password after the data breach.

Last week, Google began paving the way to run Android apps on Chrome OS through a project named "App Runtime for Chrome", but the release came with a lot of limitations: it supported only certain Android apps, and only on Chrome OS. At launch, only four Android apps (Vine, Evernote, Duolingo and Sight Words) were added to the Chrome Web Store.

That was pretty exciting, but it merely whetted the appetite of users hungry for more functionality. So, what if you could run more than just four Android apps on Chrome OS, and run them on other operating systems as well?

A developer named Vlad Filippov set out to strip away the limits Google had imposed, and figured out a way to bring more Android apps to Chrome than just the four officially supported by Google.

The bigger success was that Filippov got Android apps to work on any desktop operating system that Chrome runs on, which means you can now run Android apps on Windows, Mac and Linux as well.

The process uses App Runtime for Chrome (ARC), a Google project that allows Chrome to run native code safely within the browser. ARC was officially released only as an extension for Chrome OS, but the Native Client extensions it relies on are meant to work across platforms.

So Filippov made a custom version of ARC, called ARChon, which supports both desktop Chrome and Chrome OS. One potential roadblock is that ARChon does not run Android app packages (APKs) directly; they first need to be converted into a Chrome extension. That is made simple by "chromeos-apk", another of Filippov’s tools, which as a result lets these operating systems support an unlimited number of Android APKs.

Install Node.js and Filippov’s chromeos-apk tool on a Linux system (it’ll work on a Chromebook running Ubuntu in Crouton, so you don’t necessarily need a separate computer).

Download an Android APK and then use the chromeos-apk tool to prepare the app to run on Chrome OS.

Copy the converted app to your Chromebook, type “chrome://extensions” (without quotes) in the URL bar, enable Developer mode, and then use the “Load unpacked extension” option to locate and install the app.

That’s all. Not every Android app will work: apps confirmed to work include Pandora, Twitter, SoundCloud and Skype (although Skype needs a little extra work), while others such as XBMC, WhatsApp, Firefox, Opera and Spotify do not work yet. You can keep track of which APKs have been tested in the Chrome-apk subreddit.

Cyber criminals have exploited two online advertising networks, Google's DoubleClick and the popular Zedo advertising agency, to deliver malicious advertisements to millions of internet users that could install malware on their computers.

A recent report published by researchers at the security vendor Malwarebytes suggests that cyber criminals are abusing a number of websites, including The Times of Israel, The Jerusalem Post and the Last.fm music streaming website, to serve malicious advertisements designed to spread the recently identified Zemot malware.

Malvertising is not a new tactic, but Jerome Segura, a senior security researcher with Malwarebytes, wrote in a blog post that his company “rarely see attacks on a large scale like this.”

"It was active but not too visible for a number of weeks until we started seeing popular sites getting flagged in our honeypots," Segura wrote. "That's when we thought, something is going on."

The first malicious ad impressions appeared in late August, and by now millions of computers have likely been exposed to Zemot, although only those with outdated antivirus protection were actually infected.

According to Segura, the malicious advertisements lead users to websites hosting the Nuclear exploit kit, which looks for an unpatched version of Adobe Flash Player or Internet Explorer on the victim’s system. If it finds one, it downloads the Zemot malware, which then contacts a remote server and downloads a wave of other malicious applications.

By the time the malware was spotted, millions of computers may already have been exposed to Zemot, the researcher said, although he added that only users with out-of-date antivirus protection were actually infected.

The Zemot malware was identified by Microsoft earlier this month. According to Microsoft, Zemot is usually distributed not only by the Nuclear exploit kit but also by the Magnitude exploit kit and the Kuluoz spambot malware. The malware targets computers running Windows XP, although it can also infect more modern operating systems on both 32-bit (x86) and 64-bit machines.

The malware can bypass security software installed on the system before infecting the computer with additional malware, which makes the attack difficult to identify.

A Google representative confirmed the incident, saying the team was aware of it and has since shut down the affected servers that were redirecting to malicious code and disabled the ads that delivered malware to users’ computers, The Verge reported.